[Sunhelp] About snoop
blake.r.matheny at mail.sprint.com
I'm not sure what you want to do, but Dug Song from
http://www.monkey.org/~dugsong/ wrote a program called arpredirect
(along with a bunch of other really useful network testing tools) which
basically forges ARP requests on a switched network, causing all traffic
to try and route through the box running it, which allows you to sniff
a switched network. The danger of this is that if the tool is used
improperly it creates a DoS on the LAN because no traffic can get out,
so be careful with it. As far as Solaris goes, I find myself utilizing
tcpdump more than snoop (but I'm also more used to tcpdump). I think
the output is more readable, and there are lots of cool utilities that
utilize it (such as snort). Not very Solaris-specific comments, but hope
it was helpful.
-Blake
-----Original Message-----
From: sun [mailto:sun at minor-element.net]
Sent: Friday, October 13, 2000 1:22 AM
To: sunhelp
Cc: sun
Subject: Re: [Sunhelp] About snoop
The 'problem' doesn't lie within the sniffer. The whole idea behind
switched networks is that traffic is directed only to the segment where
the destination node is located, no more no less, save broadcast, ARP,
etc etc. No sniffer can get past this, as it can't 'sniff' what it can't
see.
If you are doing this for a legitimate reason, I suggest using a
mirrored port on the switch for your NIDS/analyzer box.
--
Martin Wedel
sun at minor-element.net
http://www.minor-element.net/
On Fri, 13 Oct 2000, John Lee wrote:
> Hello,
>
> As you know, snoop is a very useful tool in troubleshooting. But it has
> a limitation when used in a switched network. My question is "Are there any
> other sniffer tools to address the snoop's limitation?"
>
> Any ideas or hints will be much appreciated.
>
> Regards.
> John
>
> _______________________________________________
> SunHELP maillist - SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
>
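A defender-side check for the ARP forging mentioned in this thread, as an added example that is not part of any poster's message: it reads captured ARP replies and flags IP addresses whose MAC binding changes and MACs that claim more than one IP. The sample lines, addresses, function names and the tcpdump-style line format are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: ARP replies in the style of `tcpdump -n arp` output.
# Addresses use private/documentation ranges; the line format is an assumption.
SAMPLE = """\
08:15:01.000001 ARP, Reply 10.0.0.1 is-at 00:00:5e:00:53:01, length 28
08:15:02.000001 ARP, Reply 10.0.0.20 is-at 00:00:5e:00:53:20, length 28
08:15:03.000001 ARP, Reply 10.0.0.1 is-at 0:0:5e:0:53:66, length 28
08:15:04.000001 ARP, Reply 10.0.0.1 is-at 00:00:5E:00:53:66, length 28
08:15:05.000001 ARP, Reply 10.0.0.30 is-at 00:00:5e:00:53:66, length 28
"""

REPLY = re.compile(
    r"Reply\s+(\d+(?:\.\d+){3})\s+is-at\s+([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})",
    re.IGNORECASE,
)

def norm_mac(mac):
    """Normalise 0:a:... and upper-case forms to zero-padded lower-case."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def find_arp_anomalies(text):
    """Return (changed, shared): IPs seen with several MACs, MACs claiming several IPs."""
    ip_to_macs = defaultdict(list)   # IP -> MACs in the order first seen
    mac_to_ips = defaultdict(set)    # MAC -> every IP it has answered for
    for line in text.splitlines():
        match = REPLY.search(line)
        if not match:
            continue                 # not an ARP reply line
        ip, mac = match.group(1), norm_mac(match.group(2))
        if mac not in ip_to_macs[ip]:
            ip_to_macs[ip].append(mac)
        mac_to_ips[mac].add(ip)
    changed = {ip: macs for ip, macs in ip_to_macs.items() if len(macs) > 1}
    shared = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return changed, shared

if __name__ == "__main__":
    changed, shared = find_arp_anomalies(SAMPLE)
    for ip, macs in changed.items():
        print(f"binding changed: {ip} was {macs[0]}, now also {', '.join(macs[1:])}")
    for mac, ips in shared.items():
        print(f"one MAC answering for several IPs: {mac} -> {', '.join(ips)}")
```

Failover pairs, proxy ARP and multihomed hosts also produce these patterns, so findings should be compared against a known-good IP-to-MAC inventory before being treated as forgery.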